Uh Oh - How I Made My Server Vulnerable With Docker

Docker is a popular cross-platform containerization software package. It essentially allows developers to package up their app
with all the necessary dependencies and enable it to work on many different platforms without any further configuration.

I’ve experimented with Docker containers off and on for the past year or so, mostly using them on my local machine for dev-related stuff. I’ve run a few WordPress
containers on my current server before, but in the past month or so I started using the PostGIS, MySQL, and Redis containers with my public-facing sites, and that’s
where my problems started.

Earlier this week I was browsing Reddit and came across an article
detailing how a university lecturer came across a large data leak using Shodan.io, a search engine that indexes internet-facing hosts and the services
they expose. I entered the IP address of my server and was quite surprised to see my Redis database details publicly available.

Now, as a bit of a backgrounder, I used UFW to configure my firewall when I first set up my server. I know
that it acts as a “front-end” to iptables, but really didn’t know more than that. I assumed that denying all incoming connections by default, and only allowing
certain ports, would be a done deal. Apparently not.

It turns out that Docker doesn’t play well with UFW at all! When you publish a port with -p, the Docker daemon writes its own iptables rules: a DNAT rule in
the nat table that redirects the host port to the container, and ACCEPT rules in its DOCKER chain under FORWARD. That traffic is forwarded, not delivered
to the host itself, so it never passes through the INPUT chain where UFW’s deny-incoming rules sit, and Docker inserts its FORWARD rules ahead of UFW’s.
This post explains in detail the measures you need to take in order to have Docker play nice with UFW on Ubuntu. Seeing as I never took those precautions,
my Docker containers with published ports were not being protected by any type of firewall. I logged into the database from my desktop, which was totally
not supposed to be possible, to see if anyone had left me any presents.

I was presented with two keys left on my server (there were supposed to be zero, as I only use this instance for PUB/SUB capability). Both of them
were SSH private keys, one was for a root user for a random machine, the other was for a user at some Russian netsec website that I won’t link here.
What were they used for? Who knows. Perhaps they were placed there for botnets to query and inject into vulnerable servers so their C2 nodes could get access, or
maybe I was compromised much worse than I realize and those were left as a form of digital graffiti from the attackers. Who knows?

Lessons learned

For technologies like Docker, which put complex abstractions over both the file system and network, it’s important to understand exactly what each command
or flag you issue does. When I decided to run docker run --name redis -p 6379:6379 -d redis I had no idea that port 6379 would be exposed, and that UFW
would be useless to protect my machine. A -p HOST:CONTAINER mapping with no address in front of it binds the host side to every interface (0.0.0.0), so
for a service that only processes on the server need, the form to use is -p 127.0.0.1:6379:6379. An unauthenticated Redis reachable from the internet is
also worse than a data leak: the CONFIG SET dir and dbfilename commands let any client make the server write its dump file to whatever path the Redis
process can write, which is a long-standing way of dropping an authorized_keys file onto a host. At least I was able to figure out what happened; if you
do even a cursory search on Shodan there are thousands of machines out there that aren’t as lucky!
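As an added example (not code from this post), the following POSIX shell script audits the Ports column of docker ps and prints every published mapping whose host side is bound to all interfaces, which is exactly the situation described above for the Redis container. It assumes the layout produced by docker ps --format '{{.Names}}\t{{.Ports}}' (name, tab, Ports column); the sample lines embedded in it are constructed for illustration, not real output from the author’s server.

```shell
#!/bin/sh
# Added example: audit published Docker ports that listen on every interface.
# Input is the output of:  docker ps --format '{{.Names}}\t{{.Ports}}'
# (one container per line, name and Ports column separated by a tab).
# A mapping such as 0.0.0.0:6379->6379/tcp or :::6379->6379/tcp means the host
# side was bound to all interfaces, so Docker's own iptables rules forward it
# straight into the container and UFW's INPUT rules never see the traffic.
# 127.0.0.1:3306->3306/tcp is loopback-only, and a bare 5432/tcp is EXPOSEd but
# not published, so neither of those is flagged.

TAB=$(printf '\t')

# Reads docker ps lines on stdin and prints "<container> <host_port>" once per
# mapping that is reachable from all interfaces. Prints nothing when clean.
flag_public_ports() {
    while IFS="$TAB" read -r name ports; do
        [ -n "$ports" ] || continue
        # Split the Ports column on commas; read strips the leading space.
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r mapping; do
            case "$mapping" in
                0.0.0.0:*|:::*) ;;   # bound to all IPv4 / all IPv6 interfaces
                *) continue ;;       # loopback-bound, or exposed but not published
            esac
            # "0.0.0.0:6379->6379/tcp" -> "0.0.0.0:6379" -> "6379"
            host_port=$(printf '%s\n' "$mapping" | sed 's/->.*//; s/.*://')
            printf '%s %s\n' "$name" "$host_port"
        done
    done | sort -u
}

# Constructed sample docker ps output (not real data from the post's server).
SAMPLE="redis${TAB}0.0.0.0:6379->6379/tcp, :::6379->6379/tcp
mysql${TAB}127.0.0.1:3306->3306/tcp
postgis${TAB}5432/tcp
wordpress${TAB}0.0.0.0:8080->80/tcp"

# Audit the live daemon when docker is installed, otherwise the sample.
# Expected output for the sample:
#   redis 6379
#   wordpress 8080
if command -v docker >/dev/null 2>&1; then
    docker ps --format '{{.Names}}\t{{.Ports}}' 2>/dev/null | flag_public_ports
else
    printf '%s\n' "$SAMPLE" | flag_public_ports
fi

# The fix for the command in the post: bind the host side to loopback so only
# processes on the server itself (or an SSH tunnel) can reach Redis:
#   docker run --name redis -p 127.0.0.1:6379:6379 -d redis
```

Every line the script prints is a port that UFW is not protecting. Binding to loopback is the simplest fix; where a published port genuinely has to be reachable from elsewhere, host-level filtering for Docker traffic belongs in the DOCKER-USER chain (which Docker evaluates before its own FORWARD rules), and Redis should additionally have requirepass set rather than relying on the network alone.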